The SWIFT Approach to Payments Security

Posted by Tiffany Taylor and Srinivas Pachigolla on 25 May 2021

Ensuring the security of Alacriti’s payments environment is an ongoing process. It demands collaboration and cooperation across the entire organization. Our role in facilitating electronic bill payments means we are subject to the strenuous requirements of HIPAA, HITECH, and PCI DSS. As more threats and bad actors emerge, we too must evolve to provide a safe electronic solution that our clients and end-users can trust.

Our security discipline also demands that we stay aware of and communicate other security approaches to our community. Another development within the last couple of years is SWIFT’s Customer Security Programme (CSP). It is another way to help protect the health of the financial system and the counterparties within it.

Here’s an introduction to SWIFT, its CSP, and information on its Customer Security Controls Framework, which lays the foundation of the program.

What is SWIFT?

SWIFT is an acronym for the Society for the Worldwide Interbank Financial Telecommunication. SWIFT provides a platform for standard messaging and communication that connects to over 11,000 banking and securities organizations, market infrastructures, and corporate customers across the globe. The platform supports money movement worldwide by facilitating secure, standardized financial messages between organizations.

What is SWIFT’s Customer Security Programme (CSP)?

SWIFT developed its CSP to help thwart cyberattacks and the negative consequences they can have on businesses, consumers, and organizations around the world. The global ubiquity of SWIFT’s platform makes it a natural place to implement security protocols that help organizations better protect their transactions from fraud. The CSP is built around three core steps:

  1. Organizations should understand SWIFT’s Customer Security Controls Framework
  2. Organizations should close any gaps they identify against the controls
  3. Organizations should self-attest their level of compliance
 

In 2017, SWIFT introduced the CSP in self-attestation mode, which allowed participants to familiarize themselves with the goals, framework, lifecycle steps, and threat mitigation principles of the program. In 2018, SWIFT allowed participants to build on their experience and improve their security posture with additional mandatory controls.

What is the Customer Security Controls Framework (CSCF) v2021?

The CSCF v2021 provides information on changes to controls, additional guidance, and many clarifications to existing controls and their associated implementation guidelines. 

Mandatory controls include restricting internet access, segregating critical systems, preventing compromise of credentials, and detecting anomalies. Read the full framework here.

Image Source: https://www.swift.com/news-events/webinars/customer-security-controls-framework

How does SWIFT’s CSP help an organization’s overall security?

When a participating organization attests its level of compliance, that attestation can then be shared easily, in a standard manner, with counterparties. This streamlined communication can help mitigate risk and let organizations decide if certain counterparties they’re dealing with require additional controls.

How does SWIFT’s CSP help with payments?

SWIFT’s CSP also has a Payment Controls service that sends alerts for suspicious or out-of-policy messages. The Payment Controls leverage real-time payments monitoring, behavioral patterns, and independent daily reporting to help mitigate the risk of fraud.

The Bottom Line: The CSP helps SWIFT customers secure their own environments, detect fraud among their counterparties, and share information that can protect against future threats. This approach promotes both individual responsibility and shared responsibility by improving information sharing throughout the community. 

 * This is an update on an original post published February 2019


Alacriti tackles the complexity of managing SWIFT security and compliance head-on so SWIFT members can focus on core business activities. As a SWIFT CSP consulting provider, we have in-depth skills and expertise to plan, execute and report on security status and recommend critical improvements to meet and maintain CSP security standards. To contact a SWIFT CSP Consultant, please email swiftcsp@alacriti.com.

Tiffany Taylor, Blog Contributor. Tiffany Taylor is a technology marketing professional with broad expertise in a number of marketing disciplines and financial technology expertise including payments, retail and digital banking, core processing, and lending. As the owner of Tiffany Taylor Marketing, Tiffany brings a well-rounded perspective to FinTech marketing and creative content development.

Srinivas Pachigolla, Sr. Manager, Operations & GRC. Srinivas has extensive professional experience in information security, risk, and governance. He is a member of Alacriti's GRC Team that maintains compliance with PCI DSS, HIPAA/HITECH, SOC (SSAE18), FFIEC, NIST, and other applicable regulations and standards. Srinivas manages a team of risk and security specialists that perform functions including risk identification, assessment, and treatment.